Threat of the Week: APT Will Get You

Absorb the devastating security news: in a very short span early this year it was revealed that the New York Times, Wall Street Journal and Washington Post had suffered significant website penetration by highly skilled hackers who are believed to be associated with the government of China.

If you are not afraid, you aren’t paying attention.

What is occurring is a rapid ramp-up in the sophistication of cyber attackers and, in many cases, they seem to be getting the jump on those tasked with protecting sensitive websites.

In the case of the big media hacks, it appears the hackers entered the systems with specific shopping lists in hand, namely, they wanted information pertaining to possible coverage of the wealth accumulated by outgoing Premier Wen Jiabao -- said to have raked in a family fortune around $2.7 billion.

The Chinese hackers, apparently, wanted advance notice of what was coming out in print and they also wanted to sift through the work files of reporters on the story.

Traditional hacking is opportunistic, hit and miss and run. Put up a show of defense and, in many instances, that’s plenty to thwart an attacker.

Not so with what security professionals call APTs – advanced persistent threats. “They are low and slow. Very targeted. Hard to defend against,” said IBM Vice President Marc van Zadelhoff.

The apparently Chinese attackers did not want entry into any newspaper. They wanted to crack the leading media that shape top-level U.S. opinion about China. That’s what they targeted. That’s what they broke into.

“These are very sophisticated attackers,” said Michelangelo Sidagni, chief technology officer at NopSec, a New York security firm. “They got log-in information for many reporters.”

Mandiant – the security firm brought in by the Times and the Post to unravel what was occurring inside their systems – has issued a glum take on the outlook for APTs emanating from Beijing. (The free report is here.) It expects no reduction in APTs and they may in fact increase.

How did the Chinese hackers gain entry into well-protected systems? The old-fashioned way, said Sidagni, who indicated they apparently used phishing attacks that baited target reporters into clicking on links they shouldn’t have. “People think hacking is technical but the weakest link usually is human.”

It might take many months of emails before a target clicks on a bad link but, with APT, time is on the attackers’ side. Patience is their virtue and, sooner or later, they believe they will gain entry.

Protecting against this starts by recognizing that traditional anti-virus tools are nearly worthless against it. “There are many ways to bypass them,” said Sidagni.

He urged institutions to monitor their intrusion logs seriously; many organizations, he said, ignore them.

As for exactly what else credit unions can do to toughen their barriers to entry against APT attackers, Ken Baylor – a vice president at NSS Labs and a former vice president for security at Wells Fargo – said, “It’s not easy. Guarding against attackers with these skills and focus requires a complete re-think of security.”

He ominously added that there is ample evidence that nation-state APT attackers are already sniffing around inside financial institutions. So far, he stressed, they have perpetrated no frauds that have been detected. “They seem focused on gathering information,” he said, elaborating that they might, for instance, be hunting for data about who is paying a certain politician how much.

But that could change. These attacks could morph into classic fraud and, right now, many financial institutions are poorly defended against this.